Spammers joining and activating with no email.

This has happened a couple of times for me so far. I just had it happen again and I am flummoxed as to how someone could do this. It really looks like a freaking huge security hole that I cannot identify.

My site is set to auto activate a membership into a very stagnant and unusable standard account. I think that's the only reason this has not become a bigger issue.

Mr Spammer


Look at rob-j-gorman. (I erased the other 2 email addresses for obvious reasons). There is no email and in fact, he was able to bypass several other required fields, including the description field, and self-activate! I have a human question and an activation of your email address is required to become active on my site.

Somehow he has figured out a way to bypass the security of the site and get activated into the default membership. He must be using some sort of modified join page that he has somehow used to bypass mine. I didn't even think it was possible. A search of my files has not turned up any injections or file modifications, including a check of the .htaccess file. Everything is as it should be.

This has me worried. If anyone has an idea, I'd love to hear it. Also, until this is resolved, I highly recommend your default membership level be set low enough to prevent any kind of damage from someone logging in like this.

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013

This does need to be discussed as this could concern us all.  I think as a security move, I would change the password on the database; are you using strong passwords; i.e. upper and lower case letters, numerals, and symbols and long passwords?  Maybe this was a test run to see if they could get added to your site without using the normal procedure.  If someone did gain access to the database, they could run a script adding hundreds or thousands of accounts in just seconds. Hopefully that is not the case and they did run a manual bypass of your join form to add the account.

Geeks, making the world a better place
Quote · 28 Dec 2013

Here is a question, how is validation done on the join form?  Is it server side or client side?

Geeks, making the world a better place
Quote · 28 Dec 2013

I already tried a manual bypass of the join form. The form validates on the client side, so I deliberately tried to submit a mock form bypassing the client side JavaScript check and found out it is checked again server side. So I could not find a way to bypass it. That was my first thought.

https://www.deanbassett.com
Quote · 28 Dec 2013

My password for the site is very strong, my password for the server is even stronger. (16 characters, caps and special characters). I have also thought of all this and have been mulling it over for a couple of weeks now. I even tried finding a way to create an account, activate it, then delete the details. I have not been able to crack it. The only way I can see right now to protect my site is to go back to the old way where I manually activated everyone. The reason I think they gave up was once they were activated, they found out that my 'standard' account gives them absolutely no access to post anywhere and very little access to read anything. If the standard account gave them forum rights or wall rights, I think they would have continued to create accounts and would have caused all kinds of mayhem.

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013

Well, here is a scary thought.  What if they can create an account and set the role to admin?  That would give them access to your backend.  What happened needs to be found out.  If they did create an account some way bypassing your join form; it may be this was a test for proof of concept.  This does not bode well.

Deano, what if they changed the JavaScript so that the form was validated client side, would that make a difference or would the server side still kick in?  I am guessing the client side is to just inform the user quickly before sending the form to the server for the true validation; is that correct?

Geeks, making the world a better place
Quote · 28 Dec 2013


That would give them access to your backend.

I thought you can have one admin with backend access only. How would you do that (without modifications)?

Quote · 28 Dec 2013


Deano, what if they changed the JavaScript so that the form was validated client side, would that make a difference or would the server side still kick in?  I am guessing the client side is to just inform the user quickly before sending the form to the server for the true validation; is that correct?


Correct. It will still be checked server side when submitted. That was one of my tests. I got the form to pass client side and actually sent it to the server. It was still rejected.

There are other auth modules able to create accounts. Such as my FB connect, which I did find a bug in, which I also tested on his site; it just crashes the script on his site when I tried to force a submission. So his site is not vulnerable to that bug I located in my module.

There is also the Boonex version of FB connect, which is also able to create accounts. I examined it and could not see any issues there. I do not know if he has any other modules that are able to create accounts installed or not.

If it was my module that was used I would know. He has it configured to set memberships to a Facebook membership level, which would still occur as that is part of the account creation step. There is only one location within my module that can accept a form submission and that occurs before the account is created. Anyhow, I am patching that now and I will not release any more details on that anyway in a public forum. However, I do know that my module was not the cause despite the issue I found with it, simply because of the assigned membership type, which is what rules it out.

So the issue is still in Dolphin somewhere or with another module that is able to create accounts.

https://www.deanbassett.com
Quote · 28 Dec 2013


That would give them access to your backend.

I thought you can have one admin with backend access only. How would you do that (without modifications)?

No, you can have as many admins on a Dolphin site as you need.  That is part of the role field in the Profiles table.  Which is why this issue can be scary, if they can create an account and bypass required fields, what is to stop them from adding to the process they are using that will set the role field?  Normally Dolphin assigns that field when you join as a regular user.  However, we are unsure how the bad account was created.

Geeks, making the world a better place
Quote · 28 Dec 2013

Well a week ago I wanted to do this on purpose but it wouldn't let me log in. We are speaking of that back end? /administration/index.php

Quote · 28 Dec 2013


Well a week ago I wanted to do this on purpose but it wouldn't let me log in. We are speaking of that back end? /administration/index.php

A default Dolphin install does not have this option but a few modules do.  The one that I know offhand is Deano's Tools, a free module written by Deano and a must have module for any Dolphin site.  Deano's tool is a powerful module that can do a lot of things, including things that can get you in trouble LOL; like deleting/editing Dolphin's built-in php blocks.  The other way is a database edit of the profile.


Edit: to assign a profile as an admin by editing the database directly, set the role to 3.

Geeks, making the world a better place
Quote · 28 Dec 2013

Well, gaining admin access via a forced form submission via mine or the Boonex FB connect mods is impossible.

Even if it was submitted as part of a form submission, the role is hard coded into the PHP code. It can't be overridden as it's forced to member role just before database creation. So gaining admin access through the connect modules, I am pretty sure, is impossible.

https://www.deanbassett.com
Quote · 28 Dec 2013


Edit: to assign a profile as an admin by editing the database directly, set the role to 3.


And then clear the cache. :) That step is always missed.

https://www.deanbassett.com
Quote · 28 Dec 2013


Edit: to assign a profile as an admin by editing the database directly, set the role to 3.


And then clear the cache. :) That step is always missed.

Thanks, I was about to complain.

Quote · 28 Dec 2013

Just for review. Here are the non default mods I currently have.

Game Zone

Deanos FBC

Deanos Tools

EVO wall

MobileEvo wall

Auto request (a friends mod I had custom built some time ago)

Deanos Head Injections. (which is currently not being used).


At this point, that's pretty much it. I used to heavily alter the code of my site fixing this and that but for the most part, all of those 'edits' have been removed or replaced with the advent of 7.1. Overall, my site is a pretty basic, default setup. I do have quite a few 'custom' membership levels but I don't see how that would affect the security of the site.

I think I'm going to go ahead and change the password for the DB....

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013


I think I'm going to go ahead and change the password for the DB....

I think that might be a good idea; maybe the account was not added through a form submission at all.

Geeks, making the world a better place
Quote · 28 Dec 2013

Oh, one other question.

Have you noticed any files on the server that don't belong there? I know that's a tough one. The site has so many files, finding one that should not be there would not be easy.

I ask because if FTP was compromised, a script could be uploaded that would allow the creating of Dolphin accounts.

Kinda odd. I get hit with between 2000-3000 spam signup attempts per day. My filters stop all but 2-3 of them, but I have never seen this happen on my site.

Anyhoo. I have been up for a little over 20 hours. Think I am going to take a nap.

https://www.deanbassett.com
Quote · 28 Dec 2013

Did you try the obvious?

Contact this member to see if it's a legit one and the loss of mail data would be a bug?

Quote · 28 Dec 2013

HOW? lol. no phone, no email, no information at all....

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013

None that I can find Deano. I've opened my FTP and compared directories. All seems to be as it should be. Still looking though.

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013


HOW? lol. no phone, no email, no information at all....

Dolphin message?

Quote · 28 Dec 2013

Might have found something.

I have a file called 'three-level-tlds'. It appears to be a text file and it contains stuff like this (only a partial sample). I also have one named 'two-level-tlds' with the same kind of content. They appear to just be basic text files.


http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013

Those are Dolphin files.

Might have found something.

I have a file called 'three-level-tlds'. It appears to be a text file and it contains stuff like this (only a partial sample). I also have one named 'two-level-tlds' with the same kind of content. They appear to just be basic text files.

Quote · 28 Dec 2013

Yeah I just figured that out. Part of the anti spam system.

Well, then that's it. All the files in my directories have been verified. Nothing there suspicious.

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 28 Dec 2013

Check 'sys_ip_members_visits' for the decimal IP. php -r "echo long2ip(decimal_IP);" Then go into your logs, find the corresponding IP and check what was accessed.

Quote · 28 Dec 2013
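The lookup step described above, as an added example that is not part of the original thread: convert the decimal IP as stored in sys_ip_members_visits (the same result as PHP's long2ip) and pull that address's requests out of a web server access log. The log lines and the /join.php path are constructed for the example; /administration/index.php is the back-end path named in the thread.

```python
import re
import ipaddress

# Constructed sample of the kind of value stored in sys_ip_members_visits (192.168.1.1).
SAMPLE_DECIMAL_IP = 3232235777

# Constructed Apache combined-format log lines (not from the original thread);
# /join.php is an assumed path, /administration/index.php is the one named in the thread.
SAMPLE_LOG = """\
192.168.1.1 - - [28/Dec/2013:02:14:01 +0000] "POST /join.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Dec/2013:02:14:03 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.168.1.1 - - [28/Dec/2013:02:14:09 +0000] "GET /administration/index.php HTTP/1.1" 302 0 "-" "curl/7.33"
"""

# Common Log Format prefix: client IP, identd, user, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decimal_to_ip(n: int) -> str:
    """Same result as PHP's long2ip(): a 32-bit integer rendered as a dotted quad.

    The mask also handles values that were stored in a signed column and read back negative.
    """
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def requests_from(decimal_ip: int, log_text: str) -> list:
    """Return (timestamp, method, path, status) for every log line sent from that address."""
    ip = decimal_to_ip(decimal_ip)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") == ip:
            hits.append((m.group("ts"), m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


def admin_area_hits(hits: list) -> list:
    """Narrow the address's requests down to the Dolphin admin back end."""
    return [h for h in hits if h[2].startswith("/administration/")]


if __name__ == "__main__":
    found = requests_from(SAMPLE_DECIMAL_IP, SAMPLE_LOG)
    for ts, method, path, status in found:
        print(f"{ts} {method} {path} -> {status}")
    print("admin back end touched:", bool(admin_area_hits(found)))
```

On a real server, read the access log file into log_text instead of the constructed sample and check the time window around the profile's creation.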

I can confirm the behaviour SkyForum reported. Although I have not seen profiles without email addresses, I have seen "members" being verified without having any IP address linked to their profiles, and my BotStopper module has built-in functionality to deal with that (and other sorts of spam characteristics).

Nevertheless, this sounds like a serious issue and for those who want to arm their site against it I have written two triggers that deal with it at database level. The two triggers below are triggered on insert and update and check if the email field is empty and the role is set to admin.

If the email field is empty, it will get a NULL value, which is not allowed for that field, and therefore gives an error message, resulting in the row not being inserted. It also checks if the "Role" field is set to 3 (admin role) and if so, it will set the "Role" to 1 (user role).

Please keep in mind that if you run the below query you will NOT be able to add new administrators to your site! Not on insert and not on update!!


-- Code by Denre

delimiter $$
CREATE TRIGGER spam_proof_insert
    BEFORE INSERT ON `Profiles`
    FOR EACH ROW
BEGIN
    -- An empty email becomes NULL; the column does not allow NULL, so the insert fails.
    IF NEW.`Email` = '' THEN
        SET NEW.`Email` = NULL;
    END IF;
    -- Role 3 (admin) is downgraded to role 1 (user), independently of the email check.
    IF NEW.`Role` = 3 THEN
        SET NEW.`Role` = 1;
    END IF;
END$$

CREATE TRIGGER spam_proof_update
    BEFORE UPDATE ON `Profiles`
    FOR EACH ROW
BEGIN
    IF NEW.`Email` = '' THEN
        SET NEW.`Email` = NULL;
    END IF;
    IF NEW.`Role` = 3 THEN
        SET NEW.`Role` = 1;
    END IF;
END$$
delimiter ;

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 28 Dec 2013

It could be possible that you have to run the two statements separately.

so first run:


delimiter $$
CREATE TRIGGER spam_proof_insert
    BEFORE INSERT ON `Profiles`
    FOR EACH ROW
BEGIN
    -- An empty email becomes NULL; the column does not allow NULL, so the insert fails.
    IF NEW.`Email` = '' THEN
        SET NEW.`Email` = NULL;
    END IF;
    -- Role 3 (admin) is downgraded to role 1 (user), independently of the email check.
    IF NEW.`Role` = 3 THEN
        SET NEW.`Role` = 1;
    END IF;
END$$
delimiter ;


When done run the following query:

delimiter $$
CREATE TRIGGER spam_proof_update
    BEFORE UPDATE ON `Profiles`
    FOR EACH ROW
BEGIN
    -- Same two checks as the insert trigger, applied to every update of a profile row.
    IF NEW.`Email` = '' THEN
        SET NEW.`Email` = NULL;
    END IF;
    IF NEW.`Role` = 3 THEN
        SET NEW.`Role` = 1;
    END IF;
END$$
delimiter ;


If you want to remove the triggers you can run the following:

DROP TRIGGER spam_proof_insert;

DROP TRIGGER spam_proof_update;

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 29 Dec 2013


HOW? lol. no phone, no email, no information at all....

Dolphin message?

He has no access to the email or messaging system and I'm not turning it on.

I had a configuration failure in my email system on one of my domains tonight. Not sure how it happened but I lost the DNS config I set up to use an outside email server for one of my other domain names. It caused my noreply address that I use for my SMTP mod to fail as it tried to send me updates from my towtalk account (trying to find the email domain locally, which didn't exist) to the mis-configured domain name. This caused bounced messages.

I do not know if this would cause a problem or create a security hole however because emails sent by noreply@towtalk were being successfully sent to all other domains outside the server.

I am all fixed now but the question remains, what happened to the DNS config on the other domain? I didn't change it and somehow it reset to default settings?

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 29 Dec 2013